General

  • Target

    1e2fab3a423ffc11c1bc916a500c9085_JaffaCakes118

  • Size

    1.5MB

  • Sample

    240506-y1frrahc6v

  • MD5

    1e2fab3a423ffc11c1bc916a500c9085

  • SHA1

    46a473fb927d91424c14dddfc2f425e5a3915d39

  • SHA256

    a8378d35eb92c8427a1f9505e9b12de0059a3e0463a7a465ae1665301dbf0c7c

  • SHA512

    de0067448d6cc9f5faa9073d48c0373e4c67bd08c521f223057cf7fb7ead0aada7a6a273ff92c81c804d2d051c22d29f7ee5ac440e0e5a9c9d75086f66e2bfc5

  • SSDEEP

    24576:lAHnh+eWsN3skA4RV1Hom2KXMmHaiz91j7Arls9Z1q8nwh0oRdXDEpF2R88C5:Uh+ZkldoPK8Yaiz9ire/1zxGgpFs8h

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-ntshrui\1\Information.txt

Family

qulab

Ransom Note
# /===============================\
# |=== QULAB CLIPPER + STEALER ===|
# |===============================|
# |==== BUY CLIPPER + STEALER ====|
# |=== http://teleg.run/QulabZ ===|
# \===============================/

Date: 06.05.2024, 20:15:01

Main Information:
- OS: Windows 10 x64 / Build: 19041
- UserName: Admin
- ComputerName: LFKTDJGL
- VideoCard: Microsoft Basic Display Adapter
- Processor: 12th Gen Intel(R) Core(TM) i5-12400
- Memory: 8.00 Gb
- KeyBoard Layout ID: 00000409
- Resolution: 1280x720x32, 64 GHz

Other Information:
<error>

Soft / Windows Components / Windows Updates:
- Google Chrome
- Microsoft Edge
- Microsoft Edge Update
- Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
- Java Auto Updater
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660
- Microsoft Windows Desktop Runtime - 8.0.2 (x64)
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
- Adobe Acrobat Reader DC
- Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030
- Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030
- Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
- Microsoft Windows Desktop Runtime - 6.0.27 (x64)
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660
- Microsoft Windows Desktop Runtime - 7.0.16 (x64)
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
- Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704

Process List:
- [System Process] / PID: 0
- System / PID: 4
- Registry / PID: 92
- smss.exe / PID: 356
- csrss.exe / PID: 444
- wininit.exe / PID: 520
- csrss.exe / PID: 528
- winlogon.exe / PID: 616
- services.exe / PID: 656
- lsass.exe / PID: 672
- svchost.exe / PID: 788
- fontdrvhost.exe / PID: 796
- fontdrvhost.exe / PID: 804
- svchost.exe / PID: 904
- svchost.exe / PID: 964
- dwm.exe / PID: 384
- svchost.exe / PID: 428
- svchost.exe / PID: 1004
- svchost.exe / PID: 1040
- svchost.exe / PID: 1136
- svchost.exe / PID: 1152
- svchost.exe / PID: 1160
- svchost.exe / PID: 1168
- svchost.exe / PID: 1240
- svchost.exe / PID: 1296
- svchost.exe / PID: 1356
- svchost.exe / PID: 1448
- svchost.exe / PID: 1456
- svchost.exe / PID: 1564
- svchost.exe / PID: 1580
- svchost.exe / PID: 1680
- svchost.exe / PID: 1732
- svchost.exe / PID: 1764
- svchost.exe / PID: 1772
- svchost.exe / PID: 1868
- svchost.exe / PID: 1980
- svchost.exe / PID: 1992
- svchost.exe / PID: 2040
- svchost.exe / PID: 1080
- svchost.exe / PID: 2068
- spoolsv.exe / PID: 2076
- svchost.exe / PID: 2148
- svchost.exe / PID: 2212
- svchost.exe / PID: 2340
- svchost.exe / PID: 2348
- svchost.exe / PID: 2452
- svchost.exe / PID: 2576
- svchost.exe / PID: 2632
- sysmon.exe / PID: 2644
- svchost.exe / PID: 2680
- svchost.exe / PID: 2696
- unsecapp.exe / PID: 2956
- sihost.exe / PID: 2788
- svchost.exe / PID: 920
- taskhostw.exe / PID: 3140
- svchost.exe / PID: 3160
- svchost.exe / PID: 3216
- svchost.exe / PID: 3336
- explorer.exe / PID: 3424
- svchost.exe / PID: 3540
- dllhost.exe / PID: 3724
- StartMenuExperienceHost.exe / PID: 3816
- RuntimeBroker.exe / PID: 3884
- SearchApp.exe / PID: 3972
- RuntimeBroker.exe / PID: 1796
- svchost.exe / PID: 5100
- sppsvc.exe / PID: 3864
- svchost.exe / PID: 4384
- svchost.exe / PID: 2236
- svchost.exe / PID: 1616
- svchost.exe / PID: 4824
- OfficeClickToRun.exe / PID: 640
- SppExtComObj.Exe / PID: 4468
- svchost.exe / PID: 4528
- dllhost.exe / PID: 2224
- svchost.exe / PID: 736
- TextInputHost.exe / PID: 4724
- RuntimeBroker.exe / PID: 4808
- upfc.exe / PID: 2376
- svchost.exe / PID: 1084
- backgroundTaskHost.exe / PID: 4832
- backgroundTaskHost.exe / PID: 1848
- spwmp.exe / PID: 1612
- backgroundTaskHost.exe / PID: 348
- RuntimeBroker.exe / PID: 5104

URLs

http://teleg.run/QulabZ

Targets

    • Qulab Stealer & Clipper

      Infostealer and clipper created with AutoIt.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive data.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks